The Cut-and-Choose Game and Its Application to Cryptographic Protocols

The cut-and-choose technique plays a fundamental role in cryptographic-protocol design, especially for secure two-party computation in the malicious model. The basic idea is that one party constructs n versions of a message in a protocol (e.g., garbled circuits); the other party randomly checks some of them and uses the rest in the protocol. Most existing uses of cut-and-choose fix in advance the number of objects to be checked, and in optimizing this parameter they fail to recognize that checking and evaluating may have dramatically different costs. In this paper, we consider a refined cost model and formalize the cut-and-choose parameter selection problem as a constrained optimization problem. We analyze "cut-and-choose games" and show equilibrium strategies for the parties in these games. We then show how our methodology can be applied to improve the efficiency of three representative categories of secure-computation protocols based on cut-and-choose. We show improvements of up to an order of magnitude in terms of bandwidth, and 12–106% in terms of total time. Source code of our game solvers is available to download at https://github.com/cut-n-choose.
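As an added illustration (not the paper's solver from https://github.com/cut-n-choose), the following Python solves the simplest form of the parameter-selection problem described above: under the classic majority-evaluation cut-and-choose, it finds the (n, c) that minimizes a per-circuit cost with distinct checking and evaluation prices, subject to a cheating bound of 2^-s. The linear cost model and the majority rule are assumptions of this example, not the paper's refined model.

```python
from math import comb


def cheat_prob(n: int, c: int) -> float:
    """Best success probability of a cheating circuit generator when the
    evaluator opens c of n circuits and takes the majority output of the
    remaining n - c (the classic majority rule, assumed here).

    The generator corrupts b circuits. It wins only if none of the b is
    opened and they form a majority of the evaluated circuits; the cheapest
    winning choice is the smallest majority, b = (n - c) // 2 + 1.
    """
    b = (n - c) // 2 + 1
    # comb() returns 0 when n - b < c, i.e. when b bad circuits cannot all
    # escape a check of size c.
    return comb(n - b, c) / comb(n, c)


def optimize(sec_bits: int, check_cost: float, eval_cost: float,
             n_max: int = 400):
    """Cheapest (cost, n, c) with cheat_prob(n, c) <= 2**-sec_bits under an
    assumed linear cost model: c * check_cost + (n - c) * eval_cost.
    The search is capped at n_max circuits; returns None if nothing fits."""
    bound = 2.0 ** -sec_bits
    best = None
    for n in range(1, n_max + 1):
        for c in range(n):  # always leave at least one circuit to evaluate
            if cheat_prob(n, c) <= bound:
                cost = c * check_cost + (n - c) * eval_cost
                if best is None or cost < best[0]:
                    best = (cost, n, c)
    return best


if __name__ == "__main__":
    # Equal costs, checking cheaper than evaluating, and the reverse: the
    # optimal split of n into checked and evaluated circuits shifts with
    # the cost ratio, which a fixed "check 50%/60%" rule cannot capture.
    for check, ev in ((1, 1), (1, 10), (10, 1)):
        cost, n, c = optimize(40, check, ev)
        print(f"check={check:>2} eval={ev:>2}: n={n:>3} checked={c:>3} "
              f"evaluated={n - c:>3} cost={cost}")
```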